14 Replies, latest reply on Jun 6, 2012 2:44 AM by moustafahoussami

    yahoo messenger and skype with ssl rule

      Dear,

      I use MWG 7 and have enabled the Yahoo Messenger proxy. When I enable the SSL Scanner rule set from the rule set library, I cannot log in to Yahoo Messenger or Skype.

      I tried adding and fetching the certificates of Yahoo (login.yahoo.com) and Skype (*.skype.com) into the certificate whitelist, but they still do not work.

      When I disable the SSL Scanner rule set, Skype and Yahoo Messenger work well. But if the SSL Scanner is disabled, MWG cannot scan and filter HTTPS sites. Please tell me how to combine the rules better.

        • 1. Re: yahoo messenger and skype with ssl rule
          Troja

          Try this rule in your SSL Scanner configuration. Skype uses a non-RFC-compliant SSL version and MWG shows an Error 500.

          Rule Criteria:

          Property: Header.Request.Get (String)
          Operator: matches
          Value: *Web Phone*

          Action: Stop Rule Set

          Cheers, Thorsten

          • 2. Re: yahoo messenger and skype with ssl rule

            Hi Thorsten,

            I have tried to use the rule as mentioned, but it simply doesn't work. Now I am stuck in a situation where I am unable to enable the SSL Scanner, as Skype refuses to work once it is turned on.

            If there are any other suggestions, please let me know.

            Rgds,

            Dinesh

            • 3. Re: yahoo messenger and skype with ssl rule
              Troja

              Hm, I think you are using a completely different rule set than me.

              - Are you authenticating your web traffic?
              - Is there an Error 500 in the web access log?

              I changed many settings on my Web Gateway, no default rules. :-)

              You can also define a log file for your source IP or activate rule tracing to show what's going on, so you can see whether Skype is connecting to your Web Gateway.

              By the way, you MUST block all traffic on your client for skype.exe and allow the proxy connection for skype.exe. Otherwise, Skype always tries to connect directly. I built such a rule set with HIPS.

              cheers, Thorsten

              • 4. Re: yahoo messenger and skype with ssl rule
                michael_schneider

                Hello,

                Skype is a beast. It is not a chat protocol, as generally assumed, but a P2P protocol. It uses built-in encryption to secure the data on the wire. It is port invasive and will try to use ALL ports, first UDP, then TCP. If it can't get out on any of them, it will try to use the proxy defined for the system and will do a CONNECT on port 443 to several IPs. There is only one central login server, which is connected to once in a while, but not generally for communication. As it is using port 443 and CONNECT, MWG assumes that this is an SSL session and tries to start the SSL handshake, which of course will fail, as the encryption is hardcoded and therefore no keys are exchanged, etc. So you can only allow Skype by turning off the SSL Scanner OR whitelisting access to IPs. Careful here, as this might be a security risk; doing it or not is of course up to you!

                A rule could look like:

                Skype.jpg

                For Yahoo, you might want to check whether you have blocked the IM category, which would prevent the client from connecting. It might be that Yahoo is also using a similar approach as above. In this case, create an exemption for the server listed in the Yahoo Proxy of MWG OR use the MWG Yahoo proxy.

                my best,

                Michael

                • 5. Re: yahoo messenger and skype with ssl rule

                  Hi Michael,

                  As you have mentioned, "by taking the risk", is it still possible to allow Skype while the SSL Scanner is active? If so, where do I place the mentioned rule?

                  Please give us some light on this.

                  Dinesh

                  • 6. Re: yahoo messenger and skype with ssl rule
                    michael_schneider

                    Good morning,

                    the rule in question would go into the SSL Scanner (click on image to enlarge):

                    allow_skype.jpg

                    The log will look like this:

                    #time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"
                    [03/Sep/2010:07:17:21 +0000] "" 1.2.3.4 0 "CONNECT https://94.156.131.104/ HTTP/1.1" "" "-" "" 0 "" "" "0"
                    [03/Sep/2010:07:17:21 +0000] "" 1.2.3.4 0 "CONNECT https://213.240.246.162/ HTTP/1.1" "" "-" "" 0 "" "" "0"
                    [03/Sep/2010:07:17:23 +0000] "" 1.2.3.4 0 "CONNECT https://195.46.253.218/ HTTP/1.1" "" "-" "" 0 "" "" "0"
                    [03/Sep/2010:07:17:27 +0000] "" 1.2.3.4 200 "GET http://ui.skype.com/ui/3/2.8.0.851/en/getlatestversion?format=plist&uhash=11fc7c98b5e9fe7007b15a0d552615280&ver=2.8.0.851&machine=MacBookPro5%2c5&osversion=1064 HTTP/1.1" "" "-" "" 631 "" "" "0"
                    [03/Sep/2010:07:17:32 +0000] "" 1.2.3.4 0 "CONNECT https://212.187.172.78/ HTTP/1.1" "" "-" "" 0 "" "" "0"
                    [03/Sep/2010:07:17:32 +0000] "" 1.2.3.4 500 "https://81.190.227.230/ " "" "-" "" 0 "" "" "0"
                    [03/Sep/2010:07:17:38 +0000] "" 1.2.3.4 0 "CONNECT https://193.95.154.38/ HTTP/1.1" "" "-" "" 0 "" "" "0"
                    [03/Sep/2010:07:17:38 +0000] "" 1.2.3.4 0 "CONNECT https://204.9.163.211/ HTTP/1.1" "" "-" "" 0 "" "" "0"
                    [03/Sep/2010:07:17:40 +0000] "" 1.2.3.4 500 "https://83.9.104.14/ " "" "-" "" 0 "" "" "0"

                    I am attaching my SSL Scanner rule set for reference. If you want to import it, go to Policy > Add > From Library, and in the library choose import from file.

                    best,

                    Michael
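The pattern Michael describes in replies 4 and 6 (a burst of CONNECT requests on 443 to bare IP addresses, then status 500 when MWG's SSL handshake against a hardcoded-encryption peer fails) is exactly what the access log above shows, so before whitelisting anything it is worth finding which clients on the network are actually doing this. The following is an added example, not code from this thread or from McAfee: a small Python parser for the MWG 7 access-log layout given in the header line, run over a constructed sample (RFC 5737 documentation addresses and a made-up user, not the IPs from the post). The field names come from the header line; the "three distinct bare-IP targets" threshold is my assumption and should be tuned to your environment.

```python
import re
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the MWG 7 access-log layout quoted in the thread
# (header line first). Addresses are RFC 5737 documentation ranges; "jdoe" is invented.
SAMPLE_LOG = """\
#time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"
[03/Sep/2010:07:17:21 +0000] "" 10.0.0.5 0 "CONNECT https://198.51.100.104/ HTTP/1.1" "" "-" "" 0 "" "" "0"
[03/Sep/2010:07:17:21 +0000] "" 10.0.0.5 0 "CONNECT https://203.0.113.162/ HTTP/1.1" "" "-" "" 0 "" "" "0"
[03/Sep/2010:07:17:23 +0000] "" 10.0.0.5 0 "CONNECT https://192.0.2.218/ HTTP/1.1" "" "-" "" 0 "" "" "0"
[03/Sep/2010:07:17:27 +0000] "" 10.0.0.5 200 "GET http://ui.skype.com/ui/3/2.8.0.851/en/getlatestversion?format=plist HTTP/1.1" "" "-" "" 631 "" "" "0"
[03/Sep/2010:07:17:32 +0000] "" 10.0.0.5 500 "https://198.51.100.230/ " "" "-" "" 0 "" "" "0"
[03/Sep/2010:07:17:40 +0000] "jdoe" 10.0.0.7 0 "CONNECT https://login.yahoo.com/ HTTP/1.1" "Instant Messaging" "-" "" 0 "" "" "0"
[03/Sep/2010:07:17:41 +0000] "jdoe" 10.0.0.7 200 "GET https://login.yahoo.com/config/login HTTP/1.1" "Instant Messaging" "-" "text/html" 2048 "" "" "0"
"""

# One token is a [bracketed timestamp], a "quoted field", or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
FIELDS = ["time_stamp", "auth_user", "src_ip", "status_code", "req_line",
          "categories", "rep_level", "media_type", "bytes_to_client",
          "user_agent", "virus_name", "block_res"]


def parse_line(line):
    """Split one access-log line into a dict keyed by the header's field names."""
    toks = [t.strip('[]"') for t in TOKEN.findall(line)]
    if len(toks) != len(FIELDS):
        return None  # malformed or truncated line
    rec = dict(zip(FIELDS, toks))
    rec["status_code"] = int(rec["status_code"])
    return rec


def target_host(req_line):
    """Host part of the URL in a req_line; handles both 'METHOD url HTTP/1.1'
    and the bare 'https://ip/ ' form MWG writes for the failed handshake."""
    parts = req_line.split()
    if not parts:
        return None
    url = parts[1] if len(parts) >= 2 and parts[0].isupper() else parts[0]
    return urlsplit(url).hostname


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def skype_fallback_report(log_text, min_targets=3):
    """Per source IP: how many distinct bare-IP CONNECT targets it tried and how
    many handshake failures (status 500 on a bare-IP URL) MWG logged for it.
    min_targets (assumed value) marks a client as a likely Skype proxy fallback."""
    targets = defaultdict(set)
    failures = defaultdict(int)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        host = target_host(rec["req_line"])
        if host is None or not is_ip_literal(host):
            continue  # hostname-based traffic (e.g. login.yahoo.com) is not the pattern
        if rec["req_line"].startswith("CONNECT "):
            targets[rec["src_ip"]].add(host)
        elif rec["status_code"] == 500:
            failures[rec["src_ip"]] += 1
    report = {}
    for src in set(targets) | set(failures):
        n = len(targets[src])
        report[src] = {"bare_ip_connects": n,
                       "handshake_failures": failures[src],
                       "suspect": n >= min_targets}
    return report


if __name__ == "__main__":
    for src, info in sorted(skype_fallback_report(SAMPLE_LOG).items()):
        print(src, info)
```

Clients that show up as suspect are the ones to look at before you decide between Michael's two options (IP whitelist in the SSL Scanner rule set, or leaving the scanner off); the hostname-based Yahoo traffic in the sample is deliberately not flagged, since that case is handled by the Yahoo proxy or a certificate whitelist entry rather than by an IP exemption.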

                    • 7. Re: yahoo messenger and skype with ssl rule

                      Thanks Michael, Skype works with the SSL Scanner enabled. I have a few more clarifications:

                      Just curious,

                      1) Is there a way to block file transfer / voice / video over Skype?

                      2) Is it possible to allow Skype for only a certain group of users, while the rest are denied? (Of course with the SSL Scanner enabled.)

                      Thanks & Rgds,

                      Dinesh

                      • 8. Re: yahoo messenger and skype with ssl rule
                        michael_schneider

                        Hello,

                        controlling particular protocol features is functionality we can't provide as of today. If you want this, you can do so on your firewall (in case it is McAfee Firewall 8).

                        For allowing Skype in general, you can use the MWG 7 rule engine to allow access to Skype using my supplied rule set and make that group/IP/user aware.

                        best,

                        Michael

                        • 9. Re: yahoo messenger and skype with ssl rule

                          Michael, can I make a "rule" aware of group/IP/user, or can that only work for a "rule set"?
